The Illusion of Reputational Damage

By Bob Covello | August 6, 2024 | Updated: November 8, 2024 | 5 Mins Read

In June, the HIPAA Journal reported a story that seems to be the trifecta of insider threat, third-party risk, and medical technology risk. A terminated subcontractor employee of a medical transcription service stole at least one million patient records. The authorities arrested the individual, but it is unclear if any of the records were sold to malicious data brokers. At least one victim has filed a class action lawsuit against the parent company and the subcontractor. This class action lawsuit makes it evident that it is time to add civil litigation to the list of possible consequences of a breach.

Many times, cybersecurity professionals speak of reputational damage that can befall a victimized corporation. When we think of reputation, it is usually in the context of an individual’s or corporation’s standing in the general community. The implication that a company can suffer reputational damage from a breach sparks images of people protesting in the streets over a company’s failed cybersecurity practices. To date, this has never happened.

In fact, there is no hard evidence of a company ever suffering crippling consumer-driven reputational damage from a cybersecurity incident. Reputational damage seems to be the newest form of fear being perpetrated by our own security professionals. This not only rings false when placed against recent events, but it is sure to anger stakeholders when it is used as a method to improve security.

The C-level executives are the stewards of a company, often sacrificing much of their personal time to keep a company functioning. Whether it is a small business with only a few employees, or a large corporation, the people in charge have true concerns about keeping the business profitable. Some of the real perils that can befall a company include workforce actions, poor decisions leading to reduced sales, sunk costs on failed projects, and natural disasters. These are very real concerns that strip bare any false warnings about customers walking away from a company due to a cyber event.

Many times, the damage suffered by a company is the result of stock market fluctuations, rather than any public outcry. For example, on July 19, the world awoke to a major internet outage caused by an update to the CrowdStrike security platform. The outage impacted Windows-based systems, which grounded airplanes, impacted hospitals, banks, energy companies, and just about every business that had even the most peripheral connection to the CrowdStrike platform.

A patch was released; however, after the initial impact and subsequent recovery, CrowdStrike stock dropped more than 12% over the course of the trading day, and continued a downward trend over the remainder of the month, losing more than 25% of its value. The global impact was estimated to be in the billions of dollars of lost revenue. It is notable that the revenue loss was the result of a technological blunder, rather than the result of a breach or privacy violation. The damage is also not driven by consumer reaction. It is also predicted that CrowdStrike will recover its value over the next few months.

Similar market turbulence was seen at the end of July, when Intel Corporation announced that they were reducing their staff as part of a corporate downsizing action. This caused Intel’s stock price to dip more than 26% in one day. Overall, Intel has lost 55% of its value from January of this year. The obvious reason stems from competition from other chip manufacturers, rather than any reputational damage.

Stock market voracity is not necessarily a representation of public sentiment.

Many times, consumers feel that they have no recourse when a company is victimized by cybercrime. When AT&T suffered a major breach this year, everyone did not throw away their AT&T devices and switch to another carrier. The same is true of Ticketmaster, which also was targeted by cybercrime. Both of these companies continue to function.

It would seem that the cries of breach-weary consumers have little to no impact on company performance. In fact, not only is one hard pressed to find any consumer-based outcry at all, complacency seems to be the response.

For example, consumers have the power to protect themselves. Remedies such as credit monitoring, as well as self-initiated actions such as free credit freezes and fraud alerts, are actions that everyone should take to better protect themselves against identity thieves. Sadly, according to one pandemic-era report, “almost half of cardholders said they were notified that their personal information was exposed in a data breach over the past year, but only 9 percent had frozen their credit.” The use of Multi-Factor Authentication (MFA), as well as password manager usage, is equally discouraging.

Above all, cybersecurity professionals should temper the false notion of reputational damage when presenting the benefits of security to a business owner. There are enough real risks that need to be addressed before using irrational fear as a selling point for cybersecurity.

Bob Covello

Bob Covello is a technology veteran with a passion for security topics. He is also a volunteer for various organizations focused on helping others both within and beyond the cybersecurity community.

The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
